Google Git
Sign in
coral / a71ch-crypto-support / 8dc1f1434da50a4b7361d651239c1f3f4f8cc25b / . / doc / sss / plugin / psa / Readme.html
blob: 1e1cdb6c53206031cabea24468ca5ccd6e22ab6c [file] [log] [blame]
<!DOCTYPE html>
<!--
Copyright 2019 NXP
This software is owned or controlled by NXP and may only be used
strictly in accordance with the applicable license terms. By expressly
accepting such terms or by downloading, installing, activating and/or
otherwise using the software, you are agreeing that you have read, and
that you agree to comply with and are bound by, such license terms. If
you do not agree to be bound by the applicable license terms, then you
may not retain, install, activate or otherwise use the software.
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8" />
<title>8.3. Platform Security Architecture &#8212; Plug &amp; Trust MW v03.00.05 documentation</title>
<link rel="stylesheet" href="../../../_static/bootstrap-sphinx.css" type="text/css" />
<link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" type="text/css" href="../../../_static/graphviz.css" />
<script id="documentation_options" data-url_root="../../../" src="../../../_static/documentation_options.js"></script>
<script src="../../../_static/jquery.js"></script>
<script src="../../../_static/underscore.js"></script>
<script src="../../../_static/doctools.js"></script>
<script src="../../../_static/language_data.js"></script>
<link rel="index" title="Index" href="../../../genindex.html" />
<link rel="search" title="Search" href="../../../search.html" />
<link rel="next" title="8.4. Android Key master" href="../../../plugins/akm.html" />
<link rel="prev" title="8.2. Introduction on mbedTLS ALT Implementation" href="../mbedtls/scripts/readme.html" />
<meta charset='utf-8'>
<meta http-equiv='X-UA-Compatible' content='IE=edge,chrome=1'>
<meta name='viewport' content='width=device-width, initial-scale=1.0, maximum-scale=1'>
<meta name="apple-mobile-web-app-capable" content="yes">
<script type="text/javascript" src="../../../_static/js/jquery-1.11.0.min.js "></script>
<script type="text/javascript" src="../../../_static/js/jquery-fix.js "></script>
<script type="text/javascript" src="../../../_static/bootstrap-3.3.7/js/bootstrap.min.js "></script>
<script type="text/javascript" src="../../../_static/bootstrap-sphinx.js "></script>
</head><body>
<div id="navbar" class="navbar navbar-inverse navbar-default navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<!-- .btn-navbar is used as the toggle for collapsed navbar content -->
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".nav-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="../../../toc.html"><span><img src="../../../_static/NXP_logo_JPG.jpg"></span>
MW</a>
<span class="navbar-text navbar-version pull-left"><b>v03.00.05</b></span>
</div>
<div class="collapse navbar-collapse nav-collapse">
<ul class="nav navbar-nav">
<li class="dropdown globaltoc-container">
<a role="button"
id="dLabelGlobalToc"
data-toggle="dropdown"
data-target="#"
href="../../../toc.html">TOC <b class="caret"></b></a>
<ul class="dropdown-menu globaltoc"
role="menu"
aria-labelledby="dLabelGlobalToc"><ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../../index.html">1. NXP Plug &amp; Trust Middleware</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../../../organization-of-documentation.html">1.1. Organization of Documentation</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../folder-structure.html">1.2. Folder Structure</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../sw-prerequisites.html">1.3. List of Platform Prerequisites</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../../changes/index.html">2. Changes</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/pending.html">2.1. Pending Refactoring items</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/pending.html#known-limitations">2.2. Known limitations</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v03_00_05.html">2.3. Release <code class="docutils literal notranslate"><span class="pre">v03.00.05</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v03_00_04.html">2.4. Release <code class="docutils literal notranslate"><span class="pre">v03.00.04</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v03_00_03.html">2.5. Release <code class="docutils literal notranslate"><span class="pre">v03.00.03</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v03_00_02.html">2.6. Release <code class="docutils literal notranslate"><span class="pre">v03.00.02</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_16_01.html">2.7. Release <code class="docutils literal notranslate"><span class="pre">v02.16.01</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_16_00.html">2.8. Release <code class="docutils literal notranslate"><span class="pre">v02.16.00</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_15_00.html">2.9. Release <code class="docutils literal notranslate"><span class="pre">v02.15.00</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_14_00.html">2.10. Release <code class="docutils literal notranslate"><span class="pre">v02.14.00</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_12_00.html">2.11. Release <code class="docutils literal notranslate"><span class="pre">v02.12.05</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_12_00.html#release-v02-12-04">2.12. Release <code class="docutils literal notranslate"><span class="pre">v02.12.04</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_12_00.html#release-v02-12-03">2.13. Release <code class="docutils literal notranslate"><span class="pre">v02.12.03</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_12_00.html#release-v02-12-02">2.14. Release <code class="docutils literal notranslate"><span class="pre">v02.12.02</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_12_00.html#release-v02-12-01">2.15. Release <code class="docutils literal notranslate"><span class="pre">v02.12.01</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_12_00.html#release-v02-12-00">2.16. Release <code class="docutils literal notranslate"><span class="pre">v02.12.00</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_11_03.html">2.17. Release <code class="docutils literal notranslate"><span class="pre">v02.11.03</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_11_01.html">2.18. Internal Release <code class="docutils literal notranslate"><span class="pre">v02.11.01</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_11_00.html">2.19. Release <code class="docutils literal notranslate"><span class="pre">v02.11.00</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_10_00.html">2.20. Release <code class="docutils literal notranslate"><span class="pre">v02.10.00</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_09_00.html">2.21. Release <code class="docutils literal notranslate"><span class="pre">v02.09.00</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_07_00.html">2.22. Release <code class="docutils literal notranslate"><span class="pre">v02.07.00</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_06_00.html">2.23. Release <code class="docutils literal notranslate"><span class="pre">v02.06.00</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_05_00_to_v02_03_00.html">2.24. Release <code class="docutils literal notranslate"><span class="pre">v02.05.00</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_05_00_to_v02_03_00.html#release-v02-04-00">2.25. Release <code class="docutils literal notranslate"><span class="pre">v02.04.00</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../changes/v02_05_00_to_v02_03_00.html#release-02-03-00">2.26. Release <code class="docutils literal notranslate"><span class="pre">02.03.00</span></code></a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../../stack/index.html">3. Plug &amp; Trust MW Stack</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../../../stack/features.html">3.1. Features</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../stack/features.html#plug-trust-mw-block-diagram">3.2. Plug &amp; Trust MW : Block Diagram</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../sss-apis.html">3.3. SSS APIs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../stack/se05xfeatures.html">3.4. SSS APIs: SE051 vs SE050</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../stack/param_checks.html">3.5. Parameter Check &amp; Conventions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../stack/i2cm.html">3.6. I2CM / Secure Sensor</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../stack/logging.html">3.7. Logging</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../stack/feature-file.html">3.8. Feature File - <code class="docutils literal notranslate"><span class="pre">fsl_sss_ftr.h</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../stack/platf-scp-from-fs.html">3.9. Using Platform SCP Keys from File System</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../stack/auth/auth-objects.html">3.10. Auth Objects</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../stack/auth/auth-objects-userid.html">3.11. Auth Objects : UserID</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../stack/auth/auth-objects-aeskey.html">3.12. Auth Objects : AESKey</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../stack/auth/auth-objects-eckey.html">3.13. Auth Objects : ECKey</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../stack/key-id-range.html">3.14. Key Id Range and Purpose</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../stack/key-id-range.html#authentication-keys">3.15. Authentication Keys</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../stack/key-id-range.html#trust-provisioned-keyids">3.16. Trust provisioned KeyIDs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../ex/doc/puf-scp03.html">3.17. SCP03 with PUF</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../doc/sss_heap_management.html">3.18. SSS Heap Management</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../../building/index.html">4. Building / Compiling</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../../../building/windows.html">4.1. Windows Build</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../building/frdm-k64f-sdk.html">4.2. Import MCUXPresso projects from SDK</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../building/frdm-k64f-cmake.html">4.3. Freedom K64F Build (CMake - Advanced)</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../building/imx6.html">4.4. i.MX Linux Build</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../building/rpi3.html">4.5. Raspberry Pi Build</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../building/cmake.html">4.6. CMake</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../scripts/cmake_options.html">4.7. CMake Options</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../../demos/index.html">5. Demo and Examples</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../../../demos/index.html#demo-list">5.1. Demo List</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../demos/index.html#sss-api-examples">5.2. SSS API Examples</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../demos/index.html#cloud-demos">5.3. Cloud Demos</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../demos/index.html#linux-specific-demos">5.4. Linux Specific Demos</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../demos/index.html#opc-ua-example">5.5. OPC-UA Example</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../demos/index.html#arm-psa-example">5.6. ARM PSA Example</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../demos/index.html#se05x-examples">5.7. SE05X Examples</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../demos/index.html#openssl-examples">5.8. OpenSSL Examples</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../demos/index.html#tests-for-user-crypto">5.9. Tests for User Crypto</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../demos/index.html#nxpnfcrdlib-examples">5.10. NXPNFCRDLIB examples</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../demos/index.html#ease-of-use-examples">5.11. Ease-of-Use examples</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../demos/index.html#semslite-examples">5.12. Semslite examples</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../demos/index.html#puf-examples">5.13. PUF examples</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../../edgelock2go-agent.html">6. NXP EdgeLock 2GO Agent</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../../../nxp_iot_agent/doc/introduction.html">6.1. Introduction</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../nxp_iot_agent/doc/introduction.html#building-and-running-the-edgelock-2go-agent">6.2. Building and running the EdgeLock 2GO agent</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../nxp_iot_agent/doc/introduction.html#datastore-keystore">6.3. Datastore / Keystore</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../nxp_iot_agent/doc/introduction.html#connection-to-the-edgelock-2go-cloud-service">6.4. Connection to the EdgeLock 2GO cloud service</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../nxp_iot_agent/doc/introduction.html#claim-codes">6.5. Claim Codes</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../nxp_iot_agent/doc/edgelock2go_agent_apis.html">6.6. API</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../nxp_iot_agent/doc/readme_usage_examples.html">6.7. Usage Examples</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../../semslite/doc/index.html">7. SEMS Lite Agent</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../../../semslite/doc/sems_lite_overview.html">7.1. SEMS Lite Overview (Only for SE051)</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../semslite/doc/sems_lite_package.html">7.2. Update Package</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../semslite/doc/sems_lite_usage.html">7.3. SEMS Lite Agent Usage</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../semslite/doc/sems_lite_mgmt_api.html">7.4. SEMS Lite management APIs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../semslite/doc/sems_lite_process.html">7.5. SEMS Lite Agent Package Load Process</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../semslite/doc/sems_lite_api.html">7.6. APIs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../semslite/doc/sems_lite_known_issue.html">7.7. SEMS Lite Known Issue</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../semslite/doc/demo_update.html">7.8. SEMS Lite DEMOs</a></li>
</ul>
</li>
<li class="toctree-l1 current"><a class="reference internal" href="../../../plugins/index.html">8. Plugins / Add-ins</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../openssl/scripts/readme.html">8.1. Introduction on OpenSSL engine</a></li>
<li class="toctree-l2"><a class="reference internal" href="../mbedtls/scripts/readme.html">8.2. Introduction on mbedTLS ALT Implementation</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">8.3. Platform Security Architecture</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../plugins/akm.html">8.4. Android Key master</a></li>
<li class="toctree-l2"><a class="reference internal" href="../open62541/readme.html">8.5. Introduction on Open62541 (OPC UA stack)</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../plugins/wifiEAP/wifiEAP.html">8.6. WiFi EAP Demo with Raspberry Pi3</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../plugins/pkcs11.html">8.7. PKCS#11 Standalone Library</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../../cli-tool.html">9. CLI Tool</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../../../pycli/doc/introduction.html">9.1. Introduction</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../pycli/doc/block-diagram.html">9.2. Block Diagram</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../pycli/doc/pre-steps.html">9.3. Steps needed before running <code class="docutils literal notranslate"><span class="pre">ssscli</span></code> tool</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../pycli/doc/running.html">9.4. Running the <code class="docutils literal notranslate"><span class="pre">ssscli</span></code> tool - Windows</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../pycli/Provisioning/readme.html">9.5. CLI Provisioning</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../pycli/doc/readme_usage_examples.html">9.6. Usage Examples</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../pycli/doc/cli_commands_list.html">9.7. List of <code class="docutils literal notranslate"><span class="pre">ssscli</span></code> commands</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../pycli/doc/cli_data_format.html">9.8. CLI Data formats</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../pycli/doc/cli_object_policy.html">9.9. Object Policies Through ssscli</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../appendix/upload_se05x_using_pycli.html">9.10. Upload keys and certificates to SE05X using ssscli tool</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../../a71ch.html">10. A71CH</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../../../a71ch/a71ch_sss.html">10.1. A71CH and SSS API</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../a71ch/a71ch_miscellaneous.html">10.2. Miscellaneous</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../a71ch/a71ch_legacy_host_api.html">10.3. A71CH Legacy API</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../a71ch/a71ch_legacy_hlse_api.html">10.4. A71CH Legacy HLSE (Generic) API</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../a71ch/a71ch_configure_tool.html">10.5. A71CH Legacy Configure Tool</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../../appendix.html">11. Appendix</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../../../appendix/glossary.html">11.1. Glossary</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../appendix/vcom.html">11.2. APDU Commands over VCOM</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../appendix/vs2019-setup.html">11.3. Visual Studio 2019 Setup</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../appendix/ide_mcux.html">11.4. Setting up MCUXPresso IDE</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../dev-platforms.html">11.5. Development Platforms</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../appendix/se_uid.html">11.6. How to get SE Platform Information and UID</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../appendix/version_info.html">11.7. Version Information</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../demos/Certificate_Chains/Readme.html">11.8. Certificate Chains</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../appendix/rjct_server.html">11.9. JRCP_v1 Server</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../appendix/platfscp.html">11.10. Using own Platform SCP03 Keys</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../appendix/apdu_write_to_buffer.html">11.11. Write APDU to buffer</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../api/api_list.html">11.12. Plug &amp; Trust MW APIs</a></li>
</ul>
</li>
</ul>
</ul>
</li>
<li class="dropdown">
<a role="button"
id="dLabelLocalToc"
data-toggle="dropdown"
data-target="#"
href="#">Page <b class="caret"></b></a>
<ul class="dropdown-menu localtoc"
role="menu"
aria-labelledby="dLabelLocalToc"><ul>
<li><a class="reference internal" href="#">8.3. Platform Security Architecture</a><ul>
<li><a class="reference internal" href="#psa-se-driver-interface">8.3.1. PSA SE Driver Interface</a></li>
<li><a class="reference internal" href="#psa-concepts">8.3.2. PSA Concepts</a></li>
<li><a class="reference internal" href="#managing-keyids">8.3.3. Managing KeyIDs</a></li>
<li><a class="reference internal" href="#building-psa-for-trustzone">8.3.4. Building PSA for TrustZone</a></li>
</ul>
</li>
</ul>
</ul>
</li>
<li>
<a href="../mbedtls/scripts/readme.html" title="Previous Chapter: 8.2. Introduction on mbedTLS ALT Implementation"><span class="glyphicon glyphicon-chevron-left visible-sm"></span><span class="hidden-sm hidden-tablet">&laquo; 8.2. Introduc...</span>
</a>
</li>
<li>
<a href="../../../plugins/akm.html" title="Next Chapter: 8.4. Android Key master"><span class="glyphicon glyphicon-chevron-right visible-sm"></span><span class="hidden-sm hidden-tablet">8.4. Android ... &raquo;</span>
</a>
</li>
</ul>
</div>
</div>
</div>
<div class="container">
<div class="row">
<div class="col-md-3">
<div id="sidebar" class="bs-sidenav" role="complementary">
<div class="sidebar-header">
<h3>Plug &amp; Trust MW</h3>
</div>
<div class="row">
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../../index.html">1. NXP Plug &amp; Trust Middleware</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../changes/index.html">2. Changes</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../stack/index.html">3. Plug &amp; Trust MW Stack</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../building/index.html">4. Building / Compiling</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../demos/index.html">5. Demo and Examples</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../edgelock2go-agent.html">6. NXP EdgeLock 2GO Agent</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../semslite/doc/index.html">7. SEMS Lite Agent</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="../../../plugins/index.html">8. Plugins / Add-ins</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../openssl/scripts/readme.html">8.1. Introduction on OpenSSL engine</a></li>
<li class="toctree-l2"><a class="reference internal" href="../mbedtls/scripts/readme.html">8.2. Introduction on mbedTLS ALT Implementation</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">8.3. Platform Security Architecture</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#psa-se-driver-interface">8.3.1. PSA SE Driver Interface</a></li>
<li class="toctree-l3"><a class="reference internal" href="#psa-concepts">8.3.2. PSA Concepts</a></li>
<li class="toctree-l3"><a class="reference internal" href="#managing-keyids">8.3.3. Managing KeyIDs</a></li>
<li class="toctree-l3"><a class="reference internal" href="#building-psa-for-trustzone">8.3.4. Building PSA for TrustZone</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../../../plugins/akm.html">8.4. Android Key master</a></li>
<li class="toctree-l2"><a class="reference internal" href="../open62541/readme.html">8.5. Introduction on Open62541 (OPC UA stack)</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../plugins/wifiEAP/wifiEAP.html">8.6. WiFi EAP Demo with Raspberry Pi3</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../plugins/pkcs11.html">8.7. PKCS#11 Standalone Library</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../../cli-tool.html">9. CLI Tool</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../a71ch.html">10. A71CH</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../appendix.html">11. Appendix</a></li>
</ul>
</div>
<div class="row">
<form class="form" action="../../../search.html" method="get">
<div class="form-group">
<label for="Search">Search:</label>
<input type="text" name="q" class="form-control" placeholder="Search" />
</div>
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
</div>
<div class="body col-md-9 content" role="main">
<div class="section" id="platform-security-architecture">
<span id="psa-alt"></span><h1><span class="section-number">8.3. </span>Platform Security Architecture<a class="headerlink" href="#platform-security-architecture" title="Permalink to this headline"></a></h1>
<p>The Platform Security Architecture (PSA) by ARM is a holistic set
of threat models, security analyses, hardware and firmware
architecture specifications, and an open source firmware
reference implementation.</p>
<p>ARMmbed provides an interface for PSA APIs as a part of its mbed-crypto
project. Also, it supports SE driver interface which allows the user to
use its own implementation for PSA cryptographic functions. This is useful
for integrating Secure Element with mbed-crypto provided PSA interface.</p>
<p>For details on PSA specification, refer to <a class="reference external" href="https://armmbed.github.io/mbed-crypto/html/index.html">ARMmbed PSA Specification</a>.</p>
<div class="section" id="psa-se-driver-interface">
<h2><span class="section-number">8.3.1. </span>PSA SE Driver Interface<a class="headerlink" href="#psa-se-driver-interface" title="Permalink to this headline"></a></h2>
<p>The SE Driver interface allows the user to register Secure Element drivers
for various cryptographic operations. It is not necessary that one driver
should offer all cryptographic functionalities, we can register up to 4 drivers
which may offer different functionalities.</p>
<p>Cryptographic APIs are split in to the following :</p>
<ul class="simple">
<li><p>SE_KEY_MANAGEMENT - Key management APIs like import/generate/destroy</p></li>
<li><p>SE_MAC - Mac operations</p></li>
<li><p>SE_CIPHER - Symmetric encrypt/decrypt operations</p></li>
<li><p>SE_AEAD - AEAD/GCM operations</p></li>
<li><p>SE_ASYMMETRIC - Asymmetric sign/verify/encrypt/decrypt operations</p></li>
<li><p>SE_KEY_DERIVATION - Key derivation operations</p></li>
</ul>
<p>The driver may support any subset of cryptographic functionalities, mbed-crypto
offers software fall-back for APIs unavailable from SE.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>For SE interface, currently only SE_KEY_MANAGEMENT APIs, and asymmetric sign and
asymmetric verify APIs are supported.</p>
</div>
</div>
<div class="section" id="psa-concepts">
<h2><span class="section-number">8.3.2. </span>PSA Concepts<a class="headerlink" href="#psa-concepts" title="Permalink to this headline"></a></h2>
<dl>
<dt><strong>Lifetime</strong></dt><dd><p>The lifetime of an object refers to its persistence. An object can
either be <code class="docutils literal notranslate"><span class="pre">PERSISTENT</span></code> or <code class="docutils literal notranslate"><span class="pre">VOLATILE</span></code>. However, for SE based PSA
implementation, it refers to the module ID of SE Driver. Lifetime
identifies the scope of an object (where the object is stored and
which operations are available for it). This is used while performing
any operation on an object. We can use different lifetimes while
performing operations with the same object as long as different
drivers can access the object.</p>
</dd>
<dt><strong>Slot ID</strong></dt><dd><p>This is a 64-bit ID indicating where the object is loaded in the library.
PSA offers a maximum of 31 slots, which indicates that at a time, a
maximum of 31 objects can be used for any operation. If an object is
not being used, the object handle can be closed to free the slot. Since
there is no concept of an object being loaded for SE, the Slot ID will
refer to the Key ID of the object. Any application will remain unaware
of Slot ID and this should be managed internally. PSA library should
use this value to refer to any object.</p>
<p>For SSS based PSA implementation, we have a 1:1 mapping of Slot ID from
Key ID.</p>
<p>Also see <a class="reference internal" href="#psa-alt-keyids"><span class="std std-ref">Managing KeyIDs</span></a>.</p>
</dd>
<dt><strong>Key ID</strong></dt><dd><p>This is a 32-bit ID indicating the file name of the object which will be
stored on the file system. Apart from the actual object, PSA also maintains
an object file which will store metadata of the object such as policies and
supported algorithms. Before performing any operation, these values are validated.
The applications will use this value to refer to any object.</p>
<p>For SSS based PSA implementation, the contents of this file may also stored
on SE.</p>
<p>Also see <a class="reference internal" href="#psa-alt-keyids"><span class="std std-ref">Managing KeyIDs</span></a>.</p>
</dd>
<dt><strong>PSA Objects</strong></dt><dd><ul>
<li><p><strong>LIFETIME_FILE</strong> - This is SE specific file which can contain SE(driver) specific
persistent data</p></li>
<li><p><strong>TRANSACTION_FILE</strong> - This is a temporary file created at the time of any operation.
It will be deleted after the operation. This is also used to continue a pending
operation if, in case, the system reboots.</p></li>
<li><p><strong>OBJECT_FILE</strong> - This file corresponds to any object we create inside the SE. It
will store data about policy, supported algorithms, etc.</p>
<p>(keyID range is 0x20000000 - 0x2FFFFFFF)</p>
</li>
<li><p><strong>OBJECT</strong> - This is the actual object created inside the SE.</p>
<p>(keyID range is 0x30000000 - 0x3FFFFFFF)</p>
</li>
</ul>
<p>For any provided Key ID, the most significant nibble is masked out. The effective Key ID is
28-bit long. Also see <a class="reference internal" href="#psa-alt-keyids"><span class="std std-ref">Managing KeyIDs</span></a>.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>This logic of managing KeyIDs of various PSA objects is temporary and
it will be changed in the future.</p>
</div>
</dd>
</dl>
</div>
<div class="section" id="managing-keyids">
<span id="psa-alt-keyids"></span><h2><span class="section-number">8.3.3. </span>Managing KeyIDs<a class="headerlink" href="#managing-keyids" title="Permalink to this headline"></a></h2>
<p>Application can provide any keyID to be used with SE.
This will be mapped directly (1:1) with the slotID.
For internal usage, it is mapped to a 28-bit ID, masking
out the most significant nibble. Of all PSA objects,
<strong>lifetime file</strong>, <strong>transaction file</strong> and <strong>secure objects</strong>
will always be stored in secure element. The application
has an option to choose the storage for object metadata
files.</p>
<p>Providing the mask <code class="docutils literal notranslate"><span class="pre">#define</span> <span class="pre">PSA_ALT_ITS_SE_FLAG</span> <span class="pre">((0x1)</span> <span class="pre">&lt;&lt;</span> <span class="pre">28)</span></code>
in the keyID will ensure that object file is stored
in secure element. If this flag is not set, object file
will be stored in flash memory.</p>
<p>Flash storage currently has support to store only up to
8 object files.</p>
</div>
<div class="section" id="building-psa-for-trustzone">
<span id="psa-alt-building"></span><h2><span class="section-number">8.3.4. </span>Building PSA for TrustZone<a class="headerlink" href="#building-psa-for-trustzone" title="Permalink to this headline"></a></h2>
<p>PSA library is intended to run in ARM TrustZone. All examples will run in normal
world and link to PSA library to perform cryptographic operations. Build the library
for TrustZone with the following CMake configurations:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">Host=lpcxpresso55s_s</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">HostCrypto=MBEDCRYPTO</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">RTOS=Default</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">SMCOM=T1oI2C</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">PROJECT=PSA_ALT</span></code></p></li>
</ul>
</div>
</div>
</div>
</div>
</div>
<footer class="footer">
<div class="container">
<p class="pull-right">
<a href="#">Back to top</a>
</p>
<p>
&copy; Copyright 2018-2020, NXP.<br/>
Created using <a href="http://sphinx-doc.org/">Sphinx</a> 2.4.1.<br/>
</p>
</div>
</footer>
</body>
</html>